Hack The Box - Irked

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Irked%20Box%20bfe443dfa33149dc8787370ddb4e1154/Untitled.png

NMAP

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Irked%20Box%20bfe443dfa33149dc8787370ddb4e1154/Untitled%201.png

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Irked%20Box%20bfe443dfa33149dc8787370ddb4e1154/Untitled%202.png

⇒ On webpage we didn’t find anything interesting except a note saying something about IRC.

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Irked%20Box%20bfe443dfa33149dc8787370ddb4e1154/Untitled%203.png

Exploiting UnrealIRCd

⇒ Lets check if this version of UnrealIRCd is backdoored or not

Reference : https://nmap.org/nsedoc/scripts/irc-unrealircd-backdoor.html

nmap -d -p6697 --script=irc-unrealircd-backdoor.nse 10.10.10.117

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Irked%20Box%20bfe443dfa33149dc8787370ddb4e1154/Untitled%204.png

Looks like its vulnerable.

⇒ Exploit : https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor

→ Ran it and got a shell :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Irked%20Box%20bfe443dfa33149dc8787370ddb4e1154/Untitled%205.png

Privilege Escalation to User

→ We found an backup file in an user Documents folder

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Irked%20Box%20bfe443dfa33149dc8787370ddb4e1154/Untitled%206.png

Password : UPupDOWNdownLRlrBAbaSSss

→ Looks like its an password for steganography. There was an image named irked.jpg on the website lets try run steghide on it using the password we got

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Irked%20Box%20bfe443dfa33149dc8787370ddb4e1154/Untitled%207.png

→ SSH’ed in as user djmardov

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Irked%20Box%20bfe443dfa33149dc8787370ddb4e1154/Untitled%208.png

Privilege Escalation to Root

⇒ We have SUID on /usr/bin/viewuser

→ Running strings on the binary we see that it runs /tmp/listusers binary. We can leverage this to escalate our privileges to root.

⇒ Exploiting the SUID

→ listusers.c

int main(int argc, char **argv) {
	setuid(0);
	system("/bin/sh -i");
	return 0;
}

→ Compiling it and running viewuser again :

https://raw.githubusercontent.com/CsEnox/csenox.github.io/master/img/Irked%20Box%20bfe443dfa33149dc8787370ddb4e1154/Untitled%209.png